You should check your mail server logs and you will be much wiser about what is happening. The location of these logs depends on your OS distribution and mail server software, which was not specified. Or you can run "tcpdump -s0 -A" to see the real-time SMTP conversations, as someone suggested.
–
snap Aug 2 '11 at 17:33

Give us more information. Is your server/computer a mail server? Or is it normal computer? Are you behind NAT or not? Why are you having 25 port open (if not for accepting emails)? Give us more background.
–
MadBoy Aug 2 '11 at 17:36

6 Answers

Yes.

Or at least, it's being attempted. If you have port 25 open, you can be guaranteed someone's trying to relay mail through you. If you have port 80 open, you can be guaranteed someone's trying to exploit your site. If you have port 22 open, you can be guaranteed someone's trying to brute force you. Notice a pattern?

Lucky for you, they're almost entirely amateurish. Use tools like your log files, telnet, and tcpdump to verify that these are only attempts and you're not successfully being used to relay spam.

Use the -A -s 0 flags to get the entire packet. What you're looking for is to see if they're able to relay mail through you. You can also use telnet to try manually sending an email from various IPs.
–
Matt Jul 18 '10 at 20:59
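A scripted version of the manual telnet relay test described in the answer above, added here as an example; it is not code from the original answers. It speaks just enough SMTP to learn whether a server accepts RCPT TO for a domain it does not host, and it stops before DATA, so no message is injected even if the relay turns out to be open. Since no real target is available on this page, the block also includes a constructed in-process fake MTA with a switch for open-relay behaviour so the probe can be run offline; the example.* hostnames and mailbox names are documentation placeholders, not real systems.

```python
import socket
import socketserver
import threading

# Constructed probe identities: example.* are reserved documentation domains.
PROBE_SENDER = "relaytest@example.net"
PROBE_RCPT = "someone@example.org"      # a domain the target should NOT relay for
PROBE_HELO = "relaytest.example.net"


def _read_reply(f):
    """Read one SMTP reply (including the multi-line '250-' form); return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # last line of the reply has a space after the code
            return int(line[:3]), lines


def probe_relay(host, port=25, sender=PROBE_SENDER, rcpt=PROBE_RCPT, timeout=10):
    """Return {'open_relay', 'stage', 'code', 'transcript'} for host:port.

    open_relay is True only when RCPT TO for the foreign domain gets a 2xx reply.
    DATA is never sent, so even an open relay emits no message."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")

        def send(cmd):
            transcript.append("C: " + cmd)
            sock.sendall((cmd + "\r\n").encode("ascii"))
            code, lines = _read_reply(f)
            transcript.extend("S: " + l for l in lines)
            return code

        def result(stage, code, accepted=False):
            return {"open_relay": accepted, "stage": stage, "code": code, "transcript": transcript}

        code, lines = _read_reply(f)                       # 220 banner
        transcript.extend("S: " + l for l in lines)
        if code != 220:
            return result("banner", code)
        code = send("EHLO " + PROBE_HELO)
        if code != 250:                                    # fall back to HELO for old servers
            code = send("HELO " + PROBE_HELO)
            if code != 250:
                return result("helo", code)
        code = send("MAIL FROM:<%s>" % sender)
        if code != 250:
            send("QUIT")
            return result("mail_from", code)
        code = send("RCPT TO:<%s>" % rcpt)
        send("QUIT")                                       # never DATA: nothing is ever queued
        return result("rcpt_to", code, accepted=200 <= code < 300)


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a real MTA (not a real server). It relays only for
    example.com unless server.open_relay is True, mirroring a misconfigured relay."""
    local_domain = "example.com"

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 mx.example.com ESMTP constructed-fake")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("latin-1").strip()
            verb = cmd.split(" ", 1)[0].split(":", 1)[0].upper()
            if verb == "EHLO":
                self.reply("250-mx.example.com")
                self.reply("250 PIPELINING")
            elif verb == "HELO":
                self.reply("250 mx.example.com")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if self.server.open_relay or domain == self.local_domain:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 <%s>: Relay access denied" % addr)
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def start_fake_server(open_relay):
    """Start the fake MTA on an ephemeral loopback port in a daemon thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.open_relay = open_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe both flavours of the fake MTA; returns {'closed': ..., 'open': ...}."""
    results = {}
    for label, open_relay in (("closed", False), ("open", True)):
        srv = start_fake_server(open_relay)
        try:
            results[label] = probe_relay("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print("%s relay -> open_relay=%s (code %d)" % (label, r["open_relay"], r["code"]))
        print("\n".join("   " + t for t in r["transcript"]))
```

Against a real host you would call `probe_relay("your.mail.host")` from an address outside your own network (relay permissions usually depend on the client IP). Treat a 5xx at RCPT TO as "relay refused", a 2xx as "relay accepted", and a 4xx as temporary (greylisting or rate limiting) rather than a verdict; a few MTAs only reject at DATA, which this probe deliberately never reaches.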

How can I find which program or file or script is sending (or trying to send) emails? I do have some activity, that's for sure....
–
user48058 Jul 27 '10 at 20:04

Port 25 is the standard port SMTP traffic runs on. If you intend for your system to be an email server, then those might be legitimate servers trying to send you or your users email. If you do not intend your system to be an email server, figure out how to get port 25 turned off.

Historically, email servers would be configured to politely send on email for other servers. Today this is bad, bad, bad. It's called being an open email relay. It would be wise for you to verify that you are not doing this. But don't go too far and try to block port 25 traffic if you do mean to accept email from the outside world.

If you need it open, you need it open. Try to lock down who you accept SMTP connections from. You can get an offsite spam/virus filter, which hosts the servers in the DNS MX records. Then only accept SMTP from their network.

Have you an email server on this machine?
If not, close the port (firewall) and that should be sufficient.
If yes, then look in your mail.log (/var/log/mail.log) to see what is happening there. It will say who connected and what was done.
If the IPs are trying to send a lot of email to nonexistent users on your domain or to other domains, or doing other "illegal" activity (blocked or successful), I would drop them in the firewall if they do this a lot and every day, but it's only a personal choice, not a necessary option, and you cannot stay there all day looking at all the connections to block everybody!!!

After that, I think you should investigate to see if your email server is relaying email for whoever asks for it or not. Anyway, if you have a mail server, people will try to use it. Nothing you can do against them trying... but you should be able to see in the log if they succeeded in relaying or if they were blocked. Make sure your email server is configured not to relay for untrusted or unknown servers (or known and not allowed, of course! :)).

Edit: just remembered now... if you do not have an email server and port 25 is open, I think you need to have a look at the other ports too and close the unused ones.
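The log review this answer recommends, as an added example that is not part of the original post: a small analyser run over a constructed mail.log excerpt in Postfix style. It separates the two things the answer says to look for, blocked attempts (relay denials and probes for nonexistent users, counted per client IP so repeat offenders stand out) and successful relays, which it finds by tying the smtpd "client=" line to the later "status=sent" line through the queue ID and flagging deliveries to a non-local domain for a client outside your trusted networks. The IP addresses, hostnames and queue IDs in the sample are documentation placeholders; the exact line format varies between MTAs and Postfix versions, so the regular expressions are assumptions to adjust to your own log.

```python
import ipaddress
import re
from collections import Counter

# Constructed mail.log excerpt in Postfix style. Addresses are documentation
# ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), not real offenders.
SAMPLE_LOG = """\
Aug  2 17:01:12 mx postfix/smtpd[1234]: connect from unknown[203.0.113.5]
Aug  2 17:01:13 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<spam@example.net> to=<victim@example.org> proto=ESMTP helo=<bad.example>
Aug  2 17:01:14 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <other@example.org>: Relay access denied; from=<spam@example.net> to=<other@example.org> proto=ESMTP helo=<bad.example>
Aug  2 17:01:15 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<spam@example.net> to=<nobody@example.com> proto=ESMTP helo=<bad.example>
Aug  2 17:01:16 mx postfix/smtpd[1234]: disconnect from unknown[203.0.113.5]
Aug  2 17:05:00 mx postfix/smtpd[1250]: 3F2A1B: client=mail.example.net[198.51.100.7]
Aug  2 17:05:01 mx postfix/qmgr[900]: 3F2A1B: from=<user@example.net>, size=1234, nrcpt=1 (queue active)
Aug  2 17:05:02 mx postfix/smtp[1251]: 3F2A1B: to=<friend@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.1, status=sent (250 2.0.0 Ok)
Aug  2 17:06:00 mx postfix/smtpd[1260]: 4C3D2E: client=pc12.lan[10.0.0.5]
Aug  2 17:06:01 mx postfix/qmgr[900]: 4C3D2E: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Aug  2 17:06:02 mx postfix/smtp[1261]: 4C3D2E: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, status=sent (250 2.0.0 Ok)
Aug  2 17:07:00 mx postfix/smtpd[1270]: 5D4E3F: client=unknown[203.0.113.9]
Aug  2 17:07:01 mx postfix/local[1271]: 5D4E3F: to=<alice@example.com>, relay=local, delay=0.2, status=sent (delivered to mailbox)
"""

# Assumed Postfix line shapes; adjust for your MTA.
REJECT_RE = re.compile(r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);")
CLIENT_RE = re.compile(r" (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\]")
SENT_RE = re.compile(r" (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=sent")


def is_trusted(ip, nets):
    """True if ip falls inside one of the trusted networks (your own mynetworks)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def analyze(log_text, local_domains, trusted_cidrs, block_threshold=3):
    """Summarise blocked attempts and successful off-site relays in a mail log."""
    local = {d.lower() for d in local_domains}
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    relay_denied, unknown_user, other_rejects = Counter(), Counter(), Counter()
    client_of = {}      # queue ID -> submitting client IP, from the smtpd "client=" line
    relayed = []        # (queue ID, client IP, recipient) sent off-site for an untrusted client
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            reason = m.group("reason")
            if reason.startswith("Relay access denied"):
                relay_denied[m.group("ip")] += 1
            elif "User unknown" in reason:
                unknown_user[m.group("ip")] += 1
            else:
                other_rejects[m.group("ip")] += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group("qid")] = m.group("ip")
            continue
        m = SENT_RE.search(line)
        if m:
            domain = m.group("rcpt").rpartition("@")[2].lower()
            client_ip = client_of.get(m.group("qid"))
            # Delivery to a domain you do not host, submitted by a client you do
            # not trust, is exactly what "successfully relayed" looks like in the log.
            if domain not in local and client_ip is not None and not is_trusted(client_ip, nets):
                relayed.append((m.group("qid"), client_ip, m.group("rcpt")))
    noisy = relay_denied + unknown_user            # Counter addition sums per-IP counts
    return {
        "relay_denied": dict(relay_denied),
        "unknown_user": dict(unknown_user),
        "other_rejects": dict(other_rejects),
        "relayed_by_untrusted": relayed,
        "block_candidates": sorted(ip for ip, n in noisy.items() if n >= block_threshold),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG, ["example.com"], ["10.0.0.0/8", "127.0.0.0/8"])
    for key, value in summary.items():
        print("%-22s %s" % (key + ":", value))
```

On a real system feed it the rotated files too (`cat /var/log/mail.log*`), put your own domains in `local_domains` and your LAN/submission ranges in `trusted_cidrs`. Anything in `relayed_by_untrusted` is worth treating as a real relay, not an attempt. Messages injected locally (via the sendmail command or the pickup service) have no "client=" line and are therefore not caught here; that is the case the comment above asks about, and it needs a look at the local process or script instead.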

If your server/computer is a mail server, please verify it with http://mxtoolbox.com/ to see if it's not an open relay. If MxToolbox says it's not, you're good to assume that most likely the incoming connections are not doing you any harm (except for trying to relay through you, which is unsuccessful). You could also check whether your server is on a spam list to verify you're not sending spam yourself.